End-of-Life (EoL)

Authentication Log Fields in PAN-OS 8.0.5 Through 8.0.10

Authentication syslog field descriptions for PAN-OS 8.0.5 through 8.0.10.
FUTURE_USE, Receive Time, Serial Number, Sequence Number, Action Flags, Type, Threat/Content Type, FUTURE_USE, Generated Time, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name, Virtual System ID, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Authentication ID, Vendor, Log Action, Repeat Count, Server Profile, Description, Client Type, Event Type, Factor Number, Authentication Protocol
Field Name
Receive Time (receive_time or cef-formatted-receive_time)
Time the log was received at the management plane.
Serial Number (serial)
Serial number of the device that generated the log.
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Type (type)
Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type (subtype)
Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (time_generated or cef-formatted-time_generated)
Time the log was generated on the dataplane.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
API query:
Virtual System Name (vsys_name)
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name)
The hostname of the firewall on which the session was logged.
Virtual System ID (vsys_id)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Virtual System (vsys)
Virtual System associated with the session.
Source IP (ip)
Original session source IP address.
User (user)
End user being authenticated.
Normalize User (normalize_user)
Normalized version of username being authenticated (such as appending a domain name to the username).
Object (object)
Name of the object associated with the system event.
Authentication Policy (authpolicy)
Policy invoked for authentication before allowing access to a protected resource.
Authentication ID (authid)
Unique ID given across primary authentication and additional (multi factor) authentication.
Vendor (vendor)
Vendor providing additional factor authentication.
Log Action (logset)
Log Forwarding Profile that was applied to the session.
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Server Profile (serverprofile)
Authentication server used for authentication.
Description (desc)
Additional authentication information.
Client Type (clienttype)
Type of client used to complete authentication (such as authentication portal).
Event Type (event)
Result of the authentication attempt.
Factor Number (factorno)
Indicates the use of primary authentication (1) or additional factors (2, 3).
Authentication Protocol (authproto)
Indicates the authentication protocol used by the server. For example, PEAP with GTC.

Recommended For You